1 / 18

Web Policy Zeitgeist

Web Policy Zeitgeist. Panel Presentation The Semantic Web and Policy Workshop (SWPW) Galway Ireland November 7, 2005. Kent Seamons Internet Security Research Lab Brigham Young University. Zeitgeist.

donnaknight
Download Presentation

Web Policy Zeitgeist

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Policy Zeitgeist Panel Presentation The Semantic Web and Policy Workshop (SWPW) Galway Ireland November 7, 2005 Kent Seamons Internet Security Research Lab Brigham Young University

  2. Zeitgeist Some writers and artists assert that the true zeitgeist of an era cannot be known until it is over Opinions, that deviate from the ruling zeitgeist, always aggravate the crowdGermaine de Stael "the spirit (Geist) of the time (Zeit)“

  3. Outline • Policies must be ? • Opinions based on my experience • The future of Policy Zeitgeist • A challenge to the policy community

  4. My Background • Applied research – industry and academia • Database Systems – my roots • Security in Open Systems – trust negotiation - current research

  5. Security in Open Systems • Closed system: the world of passwords and tokens, identity-based • Open system: authentication with unknown entities (strangers), attribute-based • Example: credit cards—nearly universal trust for financial authentication

  6. Trust Negotiation • Iterative exchange of credentials based on policy requirements • Goals • Automated – little or no user intervention • Open – previously unknown parties may authenticate

  7. Fred the Fire Chief City of “Far Away” Server Info Fire Chief Fire Chief 2 1 2 1 Step 1: Fred requests information from Server Step 2: Server returns access control policy for the info Step 3: Fred discloses his access control policy Step 4: Server discloses his Server credential Step 5: Fred discloses his Fire Chief credential Step 6: Server grants access to the information Info Trust Negotiation Example

  8. Trust Negotiation Policies • Attribute-based policies for authentication and authorization in open systems • Part of a much broader notion of policy • Areas of emphasis (A policy must be …) • Policies are declarative • Easy to use • Too often, only the PhD student that designed a policy language or framework can use it effectively • Flexible / adaptive depending on context • TrustBuilder / GAA-API integration • RESCUE project – emergency response • Context-sensitive trust negotiation - policies that play fair • Hidden credentials – protect sensitive policies

  9. GAA-API/TrustBuilder • GAA-API - provides fine-grained access control and application-level intrusion detection capabilities to applications through a simple API. • TrustBuilder – trust negotiation framework • Integration combines the best of both systems • Detection and thwarting of attacks on electronic business transactions • Adaptation of information disclosure and resource access policies according to a suspicion level • Support of cost effective trust negotiation, such that TrustBuilder is invoked only when negotiation is required by access control policies Ryutov, Zhou, Neuman, Leithead, Seamons. Adaptive Trust Negotiation and Access Control, SACMAT 2005 Ryutov, Zhou, Neuman, Foukia, Leithead, Seamons. Adaptive Trust Negotiation and Access Control for Grids, GRID 2005

  10. TrustBuilder / GAA-API Integration

  11. RESCUE Project • The goal of the RESCUE project is to radically transform the ability of responding organizations to gather, manage, use, and disseminate information within emergency response networks and to the general public • We will design a policy-driven information sharing architecture • Flexible, customizable, dynamic, robust, scalable, policy-driven, highly automated • Policies must support rapid adaptation in the face of unexpected events Funded by National Science Foundation, see www.itr-rescue.org Participant universities: BYU, Colorado, Maryland, UCI, UCSD, UIUC. Industrial partner: ImageCat

  12. Context Sensitive Trust Negotiation • Problem: phishing attacks • Solution: release credentials based on context – “need to know” • Approach: create an ontology to represent a negotiation type to describe relevant credentials • Identify policy errors and malicious phishing attacks • Benefits • Greater protection • Identify policy errors • Efficiency - push relevant credentials Leithead, Challenging Policies that Do Not “Play Fair:” , MS Thesis, BYU, August 2005.

  13. Share 1 Share 2 Share 1 Share 2 Share 1 Hidden Credentials • Hidden credentials encrypt a message so that the recipient can read it iff he has the required credentials • Credentials can be used without disclosing them • Sensitive policies – policy can be hidden FBI Agent SECRET Clearance (symmetric encryption) US Army (IBE Encryption) Bradshaw, Holt, Seamons, Concealing Complex Policies with Hidden Credentials, CCS 2004

  14. Policy Zeitgeist Summary • Policies must be declarative • Policies must flexible • Policies must be easy to configure • Policies must be context sensitive • Policies must adapt to unexpected change • Policies must be easy to diagnose when failure occurs • Policy visibility must be tunable

  15. Future Policy Zeitgeist • We must bridge the gap between industry/government needs and academic research • As an academic, too often I fabricate toy problems in the lab using my imagination • The research process needs more real-world input • My research colleagues and I are taking steps to resolve this • RESCUE project, for instance • Challenge • The policy community must build and maintain a knowledge base to guide the design, development, and analysis of policy-based information systems • I envision something patterned after successful efforts I have observed in the database, parallel computing, networking fields

  16. What it will contain? Requirements suite Ontology of policy types Solutions Frameworks Languages Standards Lessons learned Examples of broken systems Failed approaches Benchmarks Policy language bake-offs Grand challenge applications Policy Knowledge Base Who will contribute? • Government • Industry • Academia • Key sectors • Finance • Health care • Public safety How to evaluate? • Ease of use • Expressiveness • Performance • Scalability • Semantics Who will benefit? • Users • Vendors • Researchers

  17. Policy Knowledge Base - Issues • Policy-based information systems center • Too big for a single organization? • Who will fund? • Will government fund this? • Industry consortium? • Who should lead the effort? • Organizing this effort probably won’t lead to tenure

More Related